I. GENERAL INTRODUCTION – DATA PROTECTION GOVERNANCE
On 25 May 2018 a new European privacy law - the General Data Protection Regulation (GDPR) - will come into force.
Privacy and the protection of personal data are fundamental rights and Eurocommercial is dedicated to respecting this and to observing the rules set out by European and national law.
What is privacy and data protection and why is it important?
Privacy and data protection are (almost) the same and refer to the right of an individual (“the data subject”) to have control over the way their personal data is used. Personal data is information about an identified or identifiable individual. Examples of personal data are a name, an email address and a telephone number, but also an IP address, a social security number, photographs, video recordings, etc. This document often uses the word “processing” to mean any use of personal data, such as recording, sharing, deleting, copying, etc.
People are generally very concerned about their privacy. Any unfair or unlawful processing of personal data generates a lot of public outrage and bad publicity. Our employees, tenants, customers and visitors of shopping centres, therefore, need to know that their personal data is handled correctly when they deal with Eurocommercial. Secondly, violations of data protection laws are subject to large fines. In the Netherlands, the Data Protection Authority can impose a fine of up to € 820,000 or 10% of annual turnover. This is why proper data protection is important.
Roles in data protection law
Data protection law distinguishes between three important roles. This document will refer to the data controller and data processor. The data controller is the entity which – by itself or together with others – determines the means and purposes for the data processing. For example, Eurocommercial – as an employer – is the data controller when it comes to the processing of its employees’ personal data. The data processor is the entity which processes personal data on behalf of the data controller(s). The data processor is usually a supplier of the data controller, such as the party who takes care of payroll management.
Finally, the third important role is the individual whose personal data is processed. This individual is called the data subject.
II. EUROCOMMERCIAL MODEL OF DATA PROTECTION GOVERNANCE
In order to embed data protection in the corporate structure and ensure data protection compliance, Eurocommercial has set up its Data Protection Governance Model, based on three lines of defence:
III. TEN BASIC DATA PROTECTION RULES FOR EUROCOMMERCIAL EMPLOYEES
All members of the Eurocommercial organization are expected to be aware of and comply with applicable laws.
What are the most important data protection rules?
Data protection law is based on the following basic rules. Please see further down for a short explanation of these rules.
The ten basic rules explained
1. Personal data may only be collected for well-defined purposes.
Personal data is always collected for a specified, explicit and legitimate purpose. These purposes are determined before the processing starts and may not be altered later. A “purpose” is the reason for which Eurocommercial will use the personal data. For example, a Eurocommercial shopping center collects email addresses of shoppers to send its marketing newsletter. Another example is that Eurocommercial processes the bank details of its employees to pay salary every month. The description of the purpose should always be specific enough to enable Eurocommercial to determine whether the processing carried out to achieve this purpose is necessary.
2. Personal data may not be processed in a way that is incompatible with the purpose for which the personal data was collected originally.
Once Eurocommercial has decided to collect data for a specific purpose, it may not further process those data for any reason which is incompatible with that original purpose. For example, if a Eurocommercial shopping center collected email addresses to send its marketing newsletter, those same addresses may not be sold to a third party.
3. Personal data may only be processed after obtaining consent or if necessary for:
a. compliance with a legal obligation;
b. execution of a contract with the data subject, or pre-contractual measures taken in response to the data subject’s request;
c. the legitimate interests of Eurocommercial or a third party to whom the data are disclosed.
After determining the purpose of the processing, it is important to determine whether a justification for processing exists. Obtaining consent is only one example of a justification and should be avoided if another justification is available.
Consent. Consent should be freely given, specific and informed. Freely given means that the data subject should not feel pressured to give their consent. For this reason, an employee cannot give valid consent to their employer for the processing of their personal data, as the employee is (generally) not free to refuse. Specific means that the consent should relate to specific purposes and must never be a general authorization to process personal data. Informed means that the data subject understands the scope and risks of the processing before giving consent. Note that consent for children younger than sixteen years old must be given by the legal guardian. Consent can be revoked at any time and, consequently, the processing must then cease immediately.
Compliance with a legal obligation. Eurocommercial may be subject to a statutory (non-contractual) obligation or a judicial order which justifies the processing of personal data. For example, several tax laws require the company to process financial data. Law enforcement may request camera footage to investigate a shoplifter. A court may also force Eurocommercial to disclose certain information. In those cases, Eurocommercial is required – and, therefore, permitted – to process personal data. The processing must be strictly necessary for compliance with such an obligation.
Pre-contractual measures. Eurocommercial will have to perform data processing to determine whether it wants to conclude an agreement. This is the case, for example, when a person applies for a job.
Execution of a contract with the data subject
Eurocommercial may have to process personal data to comply with a contract, but only if the data subject is a party to the agreement. For example, Eurocommercial must process employee data in order to perform the employment agreement. The processing must be strictly necessary for the performance of the contract.
Legitimate interests of Eurocommercial or a third party to whom the data are disclosed
This justification for data processing is the broadest and can, therefore, be very useful. Eurocommercial may have a legitimate interest in performing data processing. However, this interest must be balanced against the rights and freedoms, including the right to data protection, of the data subject. If this balancing test weighs in favor of Eurocommercial, the processing may proceed. If not, the processing is not allowed. This balancing test can be influenced by taking additional safeguards to minimize the impact of the processing on the data subject.
The legitimate interest ground is best understood using an example. Eurocommercial has a legitimate interest to ensure the safety of visitors to its shopping centers. Eurocommercial, therefore, decides to place security cameras. However, these cameras constantly record the movements of visitors, who have a right not to be subject to excessive surveillance. Eurocommercial decides to store the recordings securely so that only the manager and security guards have access to the materials. Moreover, the images are retained for a restricted period of time. The cameras are placed in such a way that only the inside of the shopping center is captured, not the street outside. Finally, Eurocommercial places signs at every entrance alerting visitors to the presence of security cameras. Under those circumstances, Eurocommercial has a legitimate interest in using the cameras which is not outweighed by the interest of the data subjects.
4. Data processing and data retention must be limited to what is necessary to complete the purposes for which the personal data is processed (data minimization).
For example, if the purpose of the processing is to verify the identity of an individual, Eurocommercial could make a scan of the passport or driver’s license. However, it would be sufficient to simply do a visual inspection of the passport, without making a copy. In that way, data processing is limited to what is strictly necessary.
Data processing should not only be limited in scope, but also in time. Once the purpose for the data processing has been completed, the data should be deleted. For example, when an employee leaves the company, there is no more reason to keep track of the days that she was on sick leave. On the other hand, Eurocommercial needs to retain documents which are important to comply with local applicable law, e.g. tax law.
5. Personal data must be protected by confidentiality and technical and organizational security measures.
Eurocommercial has an obligation to keep any personal data confidential and to ensure that its employees are bound by confidentiality.
First, Eurocommercial has an obligation to take appropriate technical and organizational security measures to protect personal data against accidental and unlawful destruction or unauthorized processing. Technical measures may include back-ups, encryption, password-protection, using firewalls or locking rooms with sensitive documents or systems. Organizational security measures include written data protection policies (such as this document), awareness training or regular audits.
Secondly, under applicable law Eurocommercial may have an obligation to notify ‘data breaches’ both to the competent Data Protection Authority and to the data subjects involved. Further information can be obtained via the Data Breach Notification Protocol.
6. If a service provider processes personal data on its behalf, Eurocommercial is required to execute a data processing agreement with this party.
Such a data processing agreement should at least include the following provisions:
7. Eurocommercial is prohibited from processing special categories of personal data (‘sensitive personal data’), unless the law provides a specific exemption. Sensitive data is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and data concerning health, sex life, criminal offences or convictions.
Sensitive data may only be processed in exceptional circumstances. There are a few cases where Eurocommercial will be forced to process sensitive data:
In any other circumstance, it is unlikely that Eurocommercial would need to process sensitive personal data. A great many general and specific exceptions under local applicable law are available to Eurocommercial depending on the circumstances. If you expect to process sensitive personal data, please contact the Data Protection Officer, who will assist in determining whether an exemption applies.
8. Eurocommercial should inform the data subject about how their personal data is processed, by disclosing: the identity of the data controller (which Eurocommercial entity), the purposes for the processing, the categories of personal data and any additional information which may be important for the data subject.
Every act of data processing should come with a privacy statement which explains the data processing to the data subject. This is especially important if the processing is based on consent. Eurocommercial will provide the following information.
This information can be provided in several ways: on paper, on the website, in the or even on a sign (in the case of security cameras).
It is important that the information is provided to the data subject before their data is processed. This generally means when the data subject provides the personal data.
9. Eurocommercial should respect the rights of data subjects to have access to their personal data as well as the right to correct, delete and object to the processing of their data.
Data subjects have the right of access to their personal data held by Eurocommercial and the right to request the rectification, removal or blocking of data if the processing does not comply with the rules. Furthermore, data subjects may object to the processing of their personal data. Eurocommercial will respond to any such request by a data subject within one month.
10. Eurocommercial is only allowed to transfer personal data to countries outside the European Economic Area (European Union plus Iceland, Liechtenstein and Norway) under certain strict conditions, for example by executing a special model agreement and/or obtaining approval from the data protection authority.
Not all countries apply the same high level of data protection as the countries within the European Union/European Economic Area (EEA). Transferring personal data to “third countries”, such as the United States, could result in a significant drop in privacy for the data subject. Therefore, the transfer of personal data to those third countries is subject to strict rules. These rules are intended to ensure an adequate level of protection. Note that these rules also apply if you transfer the data to a data processor in a third country.
There are a few ways to transfer personal data to third countries:
IV. SPECIFIC CHAPTERS
Eurocommercial has a legitimate interest in conducting email marketing, if such marketing is conducted within the legal requirements. These requirements have been determined in EU law and implemented in local applicable law. In addition to the requirements set out below, please remember that email addresses are personal data and that all rules set out in Chapter II apply as well.
Rule of thumb for consumer marketing
Eurocommercial must obtain the prior consent from the recipient before sending them direct marketing messages.
Rule of thumb for business marketing
Eurocommercial must obtain the prior consent from the recipient before sending them direct marketing messages. With the exception that no prior consent is necessary:
If Eurocommercial obtains an email address in the context of a sale of goods or services, it may send direct marketing messages for its own, similar goods or services, provided that the customer was clearly and explicitly given the opportunity to opt out.
Consent should comply with the basic rules as set out in Chapter II. It should be specific, freely given and informed. It is, therefore, very important to communicate clearly what types of email messages will be sent, when asking for consent. E.g. will it be a newsletter, or will it be sporadic updates about changes to a shopping center or public events?
It is also important to ensure that Eurocommercial can later prove that it has received consent from the recipients. This is often done – both online and on paper – by showing that the person filled out the form which explicitly provides consent.
All direct marketing email messages should include:
Eurocommercial e-marketing policy
Eurocommercial will only send unsolicited e-marketing messages, including information about events at shopping centers, annual reports, press releases, sustainability reports, etc., provided the recipient registered beforehand and gave their prior consent to receiving such messages.
Rule of thumb
Note that it is Eurocommercial’s responsibility to ensure that all cookies placed by third parties (e.g. Google Analytics, Google DoubleClick, etc.) through a Eurocommercial website are only placed after the user has given consent.
No consent is necessary for cookies with the sole purpose of carrying out or facilitating the transmission of a communication over the network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
Consent may be obtained lawfully in one of two ways: explicitly, which requires the user to make an explicit selection before proceeding, or implicitly, which allows the user to indicate their consent by continuing to use the website. Both methods require that the user is informed about the scope of the data processing before making a decision. Note that explicit consent is always the safer choice in terms of being able to prove that the user was aware of their decision to give consent.
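The consent rules above, as an added illustration that is not part of this policy: a small gate that lets strictly necessary cookies through, blocks third-party tags until consent is recorded (with the notice text and a timestamp, so consent can later be proven), accepts implicit consent only if the notice was shown first, and stops non-essential processing again on revocation. The class and constant names are hypothetical, and a callback stands in for injecting a script tag so the code runs outside a browser.

```javascript
// Added illustration, not part of the policy: a consent gate that only places
// non-essential / third-party cookies after recorded consent. ConsentGate and
// the category constants are hypothetical names chosen for this example.
const STRICTLY_NECESSARY = "strictly-necessary"; // exempt from consent
const THIRD_PARTY = "third-party";               // e.g. analytics, ad tags
class ConsentGate {
  constructor(now = () => Date.now()) {
    this.now = now;      // injectable clock so the record is reproducible
    this.record = null;  // proof of consent: method, notice shown, timestamp
    this.loaded = [];    // third-party tags actually loaded
  }

  // Explicit consent: the user makes a selection after reading `noticeText`.
  // The exact notice is stored so it can later be shown what was agreed to.
  giveExplicitConsent(noticeText) {
    this.record = { method: "explicit", notice: noticeText, at: this.now() };
  }

  // Implicit consent (continuing to use the site) is only accepted when the
  // notice was shown before the user continued; otherwise it is not informed.
  giveImplicitConsent(noticeText, noticeShownFirst) {
    if (!noticeShownFirst) return false;
    this.record = { method: "implicit", notice: noticeText, at: this.now() };
    return true;
  }

  // Consent can be withdrawn at any time; non-essential processing then stops.
  revoke() { this.record = null; }

  // Strictly necessary cookies may always be set; anything else needs consent.
  mayPlaceCookie(category) {
    return category === STRICTLY_NECESSARY || this.record !== null;
  }

  // `loader` stands in for injecting a third party's <script> tag in a page.
  loadThirdPartyTag(name, loader) {
    if (!this.mayPlaceCookie(THIRD_PARTY)) return false;
    loader(name);
    this.loaded.push(name);
    return true;
  }
}

// Constructed walk-through: blocked before consent, loaded after explicit
// consent, blocked again after revocation.
function demo() {
  const gate = new ConsentGate(() => 1527206400000); // fixed clock (constructed)
  const before = gate.loadThirdPartyTag("analytics", () => {});
  gate.giveExplicitConsent("We use analytics cookies to measure visits.");
  const after = gate.loadThirdPartyTag("analytics", () => {});
  gate.revoke();
  const afterRevoke = gate.loadThirdPartyTag("analytics", () => {});
  return { before, after, afterRevoke, loaded: gate.loaded };
}
```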
What are cookies
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third party to recognize you, make your next visit easier and make the Service more useful to you.
Cookies can be "persistent" or "session" cookies.
When you use and access our website, we may place a number of cookie files in your web browser.
We use both session and persistent cookies on the Service and we use different types of cookies to run the Service.
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, improve the user experience of the Service, and so on.
What are your choices regarding cookies
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.
Camera surveillance is generally used as an effective way of keeping people and property safe, but it can have an impact on the privacy of those people subject to the surveillance. Though camera surveillance is not illegal, there are a number of restrictions that Eurocommercial should observe. Note that the below restrictions apply in addition to the rules set out in Chapter II.
Eurocommercial Camera Surveillance Policy
Wi-Fi Tracking (WFT) involves the recording of the behavioral patterns of unique visitors on the basis of their mobile devices’ MAC addresses. Because it involves the recording of unique MAC addresses in combination with data regarding location, date and time, such information can be considered the processing of personal data. Information regarding location and an individual’s shopping habits can be considered very intrusive. As such, the use of WFT should include a number of safeguards. These safeguards are in addition to the basic data protection rules set out in Chapter II.
Eurocommercial WFT Policy